RADIUS authentication question

I am trying to use my normal Active Directory username to authenticate to my switches. I currently have a RADIUS server setup (Microsoft IAS 2003). I know that it works because my VPN concentrator uses it to authenticate people. I am unable to log in to my switch with the following configuration:

aaa new-model
aaa group server radius RADIUS
server 10.101.64.14 auth-port 1645 acct-port 1646
!
aaa authentication login use-radius group radius local
aaa authentication login localuser local
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network default group radius
...
radius-server host 10.x.64.14 auth-port 1645 acct-port 1646 key xxx
radius-server source-ports 1645-1646

The logs on my server don't even show that a request was attempted, which leads me to believe that I have a misconfiguration somewhere. I can only authenticate using the localuser user account and none from my domain. Is there something I need to change or do on the AD side of things to tell the switch to allow my AD account to authenticate to it? Does my configuration look good? I know the key is correct as well.


Replies

From what you posted your device will try to use radius for lines that specify use-radius but you do not show what - if anything - is configured to use this. Normal authentication is configured to just use locally configured names and password.

Can you tell us what is configured for use-radius and whether you are testing from these lines?

So I have made some progress!!! I can successfully login with my AD username/pass however, it says "Press RETURN to get started" so I do but it immediately kicks me out. I am posting a fresh aaa/line config to update on how my config looks:

I have tried adding those lines and it didn't really help. I am still kicked out as soon as it authenticates me to the RADIUS server. There are no messages that tell me that something has timed out or anything of that sort.

Also, now that I added those two lines I can log in via the local account but I can't get to privileged exec mode; it tells me:

Thanks for posting the additional information. Based on this I do have a few suggestions:

- clearly you do have it configured to authenticate telnet access (or SSH) to the Radius server with backup of the local username. I am not clear whether you are really authenticating with the Radius server or if it is falling back to local authentication. Are there log records on the Radius server that indicate whether it is seeing the authentication request and if so whether it is passing or failing?

Now I can't log in with my local account. So it looks like I have to choose one or the other, but I can't figure out why it won't allow local authentication if I use a local username OR AD authentication if I use an AD account.

Maybe I am not as clear on what is going on as I thought I was. Based on the config that you posted there is nothing that uses the line:

aaa authentication login dharmacon local

but you say that if you remove it you can no longer authenticate with a local username. I would have expected that outcome if you removed this line:

aaa authentication login RADIUS group radius local

Perhaps we also need to talk a bit more about the way that AAA authentication works. You seem to want the ability to authenticate with AD or local username interchangeably. You can set up different ports to work differently (perhaps vty starts with Radius and console starts with local username) and you can configure AAA to have a primary authentication method and a backup. But it does not offer interchangeability as an option. So you could configure it to authenticate with Radius/AD as the primary method and local as a backup. But if Radius is configured as primary then it will authenticate with Radius and only use local usernames if communication with Radius fails.

Perhaps you can clarify what is working as you expect. And if some things are not working as you expect (or as you want) then perhaps you can give us specifics about them.

Thanks for the clarification. What I am expecting is that AAA should use RADIUS primarily and, if that is unavailable, then use local accounts. So let's say that I have an AD account called bryan.lofland and I use it to log in and configure my switches/routers (currently works). What if I want to use the local account "dharmacon" to log in instead of my AD account? I can't seem to do that right now. So it looks like the falling back onto the local account isn't working.

So with this running-config I can log in with my AD account; however, I can't log in with the local username dharmacon:

I hope that we can get this resolved. I do not want to be overly picky, but I still am getting some ambiguity about what you want it to do. First you say:

"What I am expecting is the AAA should use RADIUS primarily and if that is unavailable to then use local accounts"

and you say that this is working. But then you say:

"What if I want to use the local account "dharmacon" to login instead of my AD account"

The local account will function as a backup if the router can not get to the Radius server. But as long as the router can get to the Radius server it will not use the local account.

Perhaps part of the issue is who will determine if it is time to fall back. You do not decide "this time I would like to use my local account" but the router will decide that if it has attempted to authenticate with Radius and the server is not available then it will choose to fall back to the local account.

I have a couple of comments about the AAA in the config that you posted.

As configured the console will authenticate with this line (the default method):

aaa authentication login default group radius local

and the vty lines will authenticate with this line:

aaa authentication login RADIUS group radius local

I do not see anything in the config that uses the line:

aaa authentication login dharmacon local

and I do not see any line for authentication of enable mode.

I am glad to see that you added the if-authenticated to the authorization line.

I appreciate your help! I was mistaken about the definition of "falling back". I was thinking that even if the RADIUS server was up I could still use the local login but that is not the case. I have removed the:

aaa authentication login dharmacon local

line because of its lack of use. I haven't added any line about authentication of enable mode because I don't know what that would get me. When I type en at the prompt I am prompted for a password and it lets me in, so I assumed that that was good enough.

So as I understand it and as I have it configured RADIUS is used anytime I login UNLESS it is unavailable and THEN local authentication is used.

I think that you now have the correct understanding of the fall back logic of AAA and Radius server. It is one OR the other at any point in time and the primary (in our discussion primary is Radius) will be used when it is available.

If you are satisfied to have everyone access enable mode by entering the enable password, then what you have in the configuration works ok. I suggested configuring aaa authentication for enable because I think that it gives you more control. You can configure enable authentication similar to login authentication so that it will go to the Radius server as primary and use the local enable password as a backup. Going to the Radius server means that you can configure at the individual level who should have enable access, gives you an option to periodically force change in passwords, and when someone leaves the organization it is easy to remove their enable access to all routers and switches without having to configure new enable passwords on all devices. It is certainly your choice to do it either way.
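The two points made in this thread, that a named login method list does nothing until a line references it, and that enable mode can be authenticated against RADIUS with the local enable secret as the only fallback, are shown together in the following IOS configuration. This is an added example, not the original poster's config or a reply from the thread; the server address, the group name AD-RADIUS, the list name CONSOLE, the username localadmin and every key or secret are placeholders.

```cisco
! Added example (not the poster's config): a complete AAA layout in which
! the RADIUS method list is actually applied to the lines that should use it
! and enable mode goes to RADIUS first, enable secret second.
! Addresses, names and secrets below are placeholders.
aaa new-model
!
aaa group server radius AD-RADIUS
 server 10.0.0.1 auth-port 1645 acct-port 1646
!
! Login: RADIUS first. "local" is consulted only when the server does not
! answer (timeout/unreachable); a reject from the server ends the attempt.
aaa authentication login default group AD-RADIUS local
! Console stays local-only so a RADIUS outage cannot lock out physical access.
aaa authentication login CONSOLE local
! Enable: same ordering, falling back to the enable secret only if RADIUS is down.
aaa authentication enable default group AD-RADIUS enable
! Exec authorization: if-authenticated grants a shell to any user who passed
! authentication even when RADIUS returns no authorization attributes.
aaa authorization exec default group AD-RADIUS if-authenticated
!
radius-server host 10.0.0.1 auth-port 1645 acct-port 1646 key PLACEHOLDER-KEY
enable secret PLACEHOLDER-ENABLE-SECRET
username localadmin privilege 15 secret PLACEHOLDER-PASSWORD
!
! A named list is inert until a line references it.
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
 transport input ssh
```

Two things to check on the server side before relying on the enable list: when IOS authenticates enable mode against RADIUS it sends the request with the username $enab15$ (the number being the privilege level requested), so the IAS policy must accept that user or every enable attempt will be rejected, and a reject is a denial, not a trigger for the enable-secret fallback. The fallback in both lists fires only when the switch cannot reach the server, which is exactly the "one OR the other" behaviour described above, so a login that fails with RADIUS reachable is a RADIUS reject and should appear as such in the IAS log.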

It has been a good discussion. I am glad that we have helped you achieve a better understanding. Thank you for the ratings and the resolved check mark.

Limiting users' enable access is not something that is done on the switch/router. I have done it using Cisco ACS. I assume that the capability also exists in Radius/AD, but I can not give you specifics of how to do it there.